
Microsoft Defender zero-day fixed for January Patch Tuesday

In addition to the fix for its antivirus software, Microsoft also corrected a publicly disclosed printer driver flaw that affected Windows client and server systems.

On January Patch Tuesday, Microsoft plugged a critical zero-day vulnerability in Microsoft Defender; because the fix arrives through the engine's automatic update mechanism, administrators should verify that the update actually landed on each system.

Of the 83 unique vulnerabilities, 10 were rated critical. In addition to the zero-day fix in the Microsoft Malware Protection Engine, Microsoft released security updates for the Windows client and server OSes, Microsoft Edge (HTML-based version), Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, Visual Studio, SQL Server, .NET Core, .NET Repository, ASP.NET and Azure. There were no patches for Internet Explorer this month.

Microsoft Defender zero-day tops list of concerns for January Patch Tuesday

Microsoft Defender products typically fall outside the scope of the Windows administrators' patching duties due to the automatic update feature, but not every system is connected to the internet. A critical remote-code execution vulnerability (CVE-2021-1647) affects multiple products that use the Microsoft Malware Protection Engine, including Windows Defender in the Windows Server and client OSes, as well as Microsoft System Center Endpoint Protection and Microsoft Security Essentials products.

According to a blog from Automox, an endpoint and workload management platform provider, a threat actor can trigger the exploit either with access to a local machine or by tricking a user into opening a malicious document.

"Affected versions of Defender date back to late October 2020. It's possible the attackers have been exploiting this Zero Day undetected for nearly three months, meaning applying this patch now is extraordinarily essential," according to Automox.

Most organizations should already have the updated version of the Microsoft Malware Protection Engine, which updates itself automatically under the default configuration. Microsoft nevertheless recommends that administrators confirm their systems are running version 1.1.17700.4 or later.


According to Chris Goettl, senior director of product management for security products at Ivanti, administrators should employ an endpoint management product or use a PowerShell script to run daily checks on their antivirus software to catch potential problems with software engine patches or virus definition updates.

"Companies should audit for that version number because one of the first things that the threat actor or malware is going to do is try to block any updates for whatever threat protection is running on that system," Goettl said.
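The following PowerShell script is an added example of the kind of daily engine check described above; it is not Ivanti's or Microsoft's tooling. It assumes the Defender PowerShell module is present (Get-MpComputerStatus and Update-MpSignature ship with Windows 10 and Windows Server 2016 and later), and uses the 1.1.17700.4 threshold quoted in the article. The three-day signature-age limit and the output layout are this example's own choices.

```powershell
# Added example (not from the article or from Ivanti/Microsoft): compare the local
# Microsoft Malware Protection Engine version with the minimum engine version that
# carries the fix for CVE-2021-1647, and flag stale definitions at the same time.
# Assumes the Defender PowerShell module is available on the machine.

$MinimumFixedEngine = [version]'1.1.17700.4'   # from the article
$MaxSignatureAgeDays = 3                        # example's own threshold

function Test-DefenderEngineVersion {
    param(
        [version]$Minimum = $MinimumFixedEngine,
        [int]$MaxSignatureAge = $MaxSignatureAgeDays
    )
    # Get-MpComputerStatus exposes engine and definition state; ErrorAction Stop
    # makes a missing/disabled Defender service fail loudly rather than silently.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        EngineVersion       = $engine
        MinimumFixedEngine  = $Minimum
        EnginePatched       = ($engine -ge $Minimum)
        SignatureAgeDays    = $status.AntivirusSignatureAge
        SignaturesCurrent   = ($status.AntivirusSignatureAge -le $MaxSignatureAge)
        LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        ServiceEnabled      = $status.AMServiceEnabled
    }
}

$result = Test-DefenderEngineVersion
$result | Format-List

# A non-zero exit code lets a scheduled task or endpoint management job surface
# the host; an engine that is not updating is exactly the condition Goettl warns about.
if (-not $result.EnginePatched -or -not $result.SignaturesCurrent -or -not $result.ServiceEnabled) {
    Write-Warning "Defender engine, definitions or service out of date on $($result.ComputerName); check whether updates are being blocked."
    # Attempt a definition/engine refresh; failure here is itself worth investigating.
    Update-MpSignature -ErrorAction Continue
    exit 1
}
exit 0
```

Run it from an elevated prompt as a daily scheduled task, or push it through an endpoint management tool and collect the exit code. Hosts that return 1 repeatedly after Update-MpSignature runs are the ones to examine for blocked update traffic or a tampered service, which is the failure mode the quote above describes.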

Microsoft corrects publicly disclosed printer driver bug

Microsoft also delivered a fix for an elevation of privilege vulnerability (CVE-2021-1648) rated important in the 32-bit printer driver host for both Windows Server and client OSes. Microsoft credited Google's Project Zero and Trend Micro's Zero Day Initiative with discovering the bug. Goettl noted this vulnerability could be used for both privilege escalation and information disclosure.

"If [the threat actors] get in as a general user with limited access, they could get to the privilege level of the user that is currently logged on," Goettl said. "In this world of 'admin everywhere,' in most organizations, that means you've got full admin rights to the local machine. Otherwise, it could allow them to step up to a power-user level if the current user doesn't have full admin rights. So [the vulnerability] offered a variety of different options for the attacker, depending on the state of the machine and the user that was logged on at the time."

Important vulnerabilities still require close attention

Threat actors continue to pay keen attention to SharePoint. Microsoft corrected six vulnerabilities rated important (CVE-2021-1641, CVE-2021-1707, CVE-2021-1712, CVE-2021-1717, CVE-2021-1718 and CVE-2021-1719) in the collaboration product.

An attacker who already holds credentials on the system could exploit a SQL Server elevation of privilege vulnerability (CVE-2021-1636), rated important, by sending data over the network to servers configured to run an extended event session.

Organizations that rely on developer tools and technologies should be aware of multiple vulnerabilities in this area, including Microsoft's Azure Kubernetes Service (CVE-2021-1677), the Microsoft Bot Framework software development kit (CVE-2021-1725), ASP.NET Core (CVE-2021-1723) and Visual Studio (CVE-2020-26870, CVE-2021-1651, CVE-2021-1680 and CVE-2021-1723).

It's fairly common for administrators to underestimate bugs rated below critical and to delay those patches, particularly for developer products, Goettl said.

"There's not a month that goes by that there isn't a half-dozen Microsoft dev tools in the list of things being resolved," Goettl said. "These groups must continually push the latest versions of those toolchains into their process and make sure they're patching those vulnerabilities -- and there are a lot of them in there -- or they will stack up and threat actors are going to take advantage of them. They're looking to that toolchain of development tools as a critical weakness in today's infrastructure."
